CVE-2024-47596
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.
Analysis
An out-of-bounds read in GStreamer's QuickTime demuxer (qtdemux) lets an attacker who can get a crafted QuickTime/MP4 file processed by a GStreamer-based application (a media player, a thumbnailer, a browser or any service that transcodes user uploads) read up to 4 GB of process memory past the intended buffer or crash the process. All GStreamer versions before 1.24.10 are affected, and the bug is reachable without authentication or any user interaction beyond the file being parsed (CVSS AV:N/PR:N/UI:N). Note that the published CVSS vector scores only availability impact (A:H), even though the advisory describes the over-read as also able to pull up to 4 GB of process memory. The issue is not in CISA's Known Exploited Vulnerabilities catalog, and its EPSS score of 0.08% indicates a low predicted probability of exploitation, although the vendor advisory and the fixing patch are public and give enough detail to build a crashing file.
Technical Context
GStreamer is a widely used open-source multimedia framework for building media-processing pipelines, identified by CPE cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:*. The vulnerability lies in qtdemux_parse_svq3_stsd_data in qtdemux.c, the routine that parses the sample-description (stsd) data for SVQ3 (Sorenson Video 3) video in QuickTime containers. It is a classic CWE-125 out-of-bounds read: in the FOURCC_SMI_ case the handler reads a 32-bit seqh_size field straight from the file and passes it as the copy length to gst_buffer_fill (which calls memcpy) without first checking that at least seqh_size bytes remain in the stsd entry. Because the field is 32 bits wide, a crafted value makes the copy run up to 4 GB past the end of the buffer, which either copies unrelated process memory into the sequence-header buffer or faults (SEGV) once the read crosses into unmapped pages. The fix is the missing comparison of seqh_size against the remaining data before the copy.
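The following is an added illustration of the bug class, written for this page; it is not GStreamer's code and its atom layout ([size][fourcc 'SMI_'][seqh_size][seqh bytes], all big-endian) is a simplification assumed for the example. It shows the unchecked pattern beside the hardened parser that compares seqh_size against the bytes actually inside the atom, and computes how far the unchecked memcpy would read past a crafted atom without actually triggering the over-read. The sample atoms are constructed, not taken from any real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed sub-atom layout for this example (not the real QuickTime stsd layout):
 *   [4 bytes size, big-endian][4 bytes fourcc 'SMI_'][4 bytes seqh_size][seqh_size bytes]
 */
#define SMI_FOURCC 0x534D495FUL   /* 'S' 'M' 'I' '_' */

enum smi_status {
    SMI_OK = 0,
    SMI_NOT_SMI = 1,            /* fourcc is not SMI_ */
    SMI_TOO_SHORT = 2,          /* atom header or declared size does not fit the buffer */
    SMI_SEQH_OVERFLOWS_ATOM = 3,/* seqh_size larger than the bytes inside the atom */
    SMI_NOMEM = 4
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Vulnerable pattern: seqh_size comes straight from the file and becomes the
 * memcpy length. The destination is allocated to match, so only the SOURCE
 * read runs off the end of the atom, which is exactly the OOB read on this page.
 * Call this only on well-formed input; on a crafted atom it is undefined behaviour. */
static uint8_t *parse_smi_unchecked(const uint8_t *atom, uint32_t *seqh_len)
{
    uint32_t seqh_size;
    uint8_t *seqh;

    *seqh_len = 0;
    if (rd32be(atom + 4) != SMI_FOURCC)
        return NULL;
    seqh_size = rd32be(atom + 8);
    if (seqh_size == 0)
        return NULL;
    seqh = malloc(seqh_size);
    if (seqh == NULL)
        return NULL;
    memcpy(seqh, atom + 12, seqh_size);   /* reads past the atom when seqh_size > size - 12 */
    *seqh_len = seqh_size;
    return seqh;
}

/* Hardened version: the declared atom size must fit in the remaining buffer,
 * and seqh_size must fit inside the atom payload before anything is copied. */
static enum smi_status parse_smi_checked(const uint8_t *atom, size_t remaining,
                                         uint8_t **seqh_out, uint32_t *seqh_len)
{
    uint32_t size, seqh_size;

    *seqh_out = NULL;
    *seqh_len = 0;
    if (remaining < 12)
        return SMI_TOO_SHORT;
    size = rd32be(atom);
    if (size < 12 || size > remaining)
        return SMI_TOO_SHORT;
    if (rd32be(atom + 4) != SMI_FOURCC)
        return SMI_NOT_SMI;
    seqh_size = rd32be(atom + 8);
    if (seqh_size > size - 12)            /* the check the vulnerable code lacked */
        return SMI_SEQH_OVERFLOWS_ATOM;
    if (seqh_size > 0) {
        uint8_t *seqh = malloc(seqh_size);
        if (seqh == NULL)
            return SMI_NOMEM;
        memcpy(seqh, atom + 12, seqh_size);
        *seqh_out = seqh;
        *seqh_len = seqh_size;
    }
    return SMI_OK;
}

/* Bytes the unchecked memcpy would read beyond the atom, computed in 64-bit
 * arithmetic so a crafted atom can be inspected without reproducing the bug. */
static uint64_t smi_overread_bytes(const uint8_t *atom)
{
    uint64_t size = rd32be(atom), seqh_size = rd32be(atom + 8);
    return seqh_size + 12 > size ? seqh_size + 12 - size : 0;
}

/* Constructed sample atoms. GOOD_SMI is self-consistent: 16 bytes, 4-byte header.
 * EVIL_SMI also declares 16 bytes but claims a 0xFFFFFFFF-byte sequence header. */
static const uint8_t GOOD_SMI[16] = {
    0x00, 0x00, 0x00, 0x10, 'S', 'M', 'I', '_', 0x00, 0x00, 0x00, 0x04, 0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t EVIL_SMI[16] = {
    0x00, 0x00, 0x00, 0x10, 'S', 'M', 'I', '_', 0xFF, 0xFF, 0xFF, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF };

int main(void)
{
    uint8_t *seqh;
    uint32_t len;

    seqh = parse_smi_unchecked(GOOD_SMI, &len);
    printf("unchecked parser, benign atom: %u-byte sequence header\n", len);
    free(seqh);
    printf("unchecked parser, crafted atom would read %llu bytes past the atom\n",
           (unsigned long long) smi_overread_bytes(EVIL_SMI));
    printf("checked parser, crafted atom: status %d\n",
           (int) parse_smi_checked(EVIL_SMI, sizeof EVIL_SMI, &seqh, &len));
    return 0;
}
```

The hardened parser bounds the copy by the atom's own declared size and bounds that size by the bytes left in the enclosing buffer; both checks are needed, since a file controls both fields. Running the example under AddressSanitizer with the unchecked parser pointed at EVIL_SMI is the quickest way to see the class of report (heap-buffer-overflow READ in memcpy) that this CVE produces.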
Affected Products
GStreamer versions prior to 1.24.10 are affected. The CPE identifier cpe:2.3:a:gstreamer:gstreamer:*:*:*:*:*:*:*:* matches the product without a version range, so the version bound comes from the vendor advisory rather than the CPE. The vulnerable code is in the QuickTime demuxer (qtdemux), the plugin that parses QuickTime, MP4 and related ISO base media files, so any application that loads that plugin is exposed, whether or not it was built for SVQ3 content. Debian has issued security updates for its Long Term Support releases, announced at https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html. The official GStreamer security advisory, with complete technical details, is at https://gstreamer.freedesktop.org/security/sa-2024-0015.html.
Remediation
Upgrade GStreamer to version 1.24.10 or later, which contains the fix documented in merge request https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8059.patch; distributions that backport fixes may ship the patch under an older version number, so check the package changelog rather than the upstream version alone. Debian users should apply the updates referenced in https://lists.debian.org/debian-lts-announce/2025/02/msg00035.html. Where an immediate update is not possible, reduce exposure by not feeding untrusted QuickTime/MP4 files to GStreamer-based services, by validating or rejecting such files before they reach the demuxer, or by running GStreamer pipelines in a separate, sandboxed process so that a crash or memory disclosure is contained. Monitor the vendor security page at https://gstreamer.freedesktop.org/security/ for further guidance.